dect
/
linux-2.6
Archived
13
0
Fork 0
Code Releases Activity

x86: Don't leak 64-bit kernel register values to 32-bit processes 

While 32-bit processes can't directly access R8...R15, they can
gain access to these registers by temporarily switching themselves
into 64-bit mode.

Therefore, registers not preserved anyway by called C functions
(i.e. R8...R11) must be cleared prior to returning to user mode.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Cc: <stable@kernel.org>
LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
This commit is contained in:
Jan Beulich 2009-09-30 11:22:11 +01:00 committed by Ingo Molnar
parent 4701472e44
commit 24e35800cd
1 changed files with 23 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
arch/x86/ia32/ia32entry.S
View File

@ -21,8 +21,8 @@
#define __AUDIT_ARCH_LE 0x40000000 #define __AUDIT_ARCH_LE 0x40000000
#ifndef CONFIG_AUDITSYSCALL #ifndef CONFIG_AUDITSYSCALL
#define sysexit_audit int_ret_from_sys_call #define sysexit_audit ia32_ret_from_sys_call
#define sysretl_audit int_ret_from_sys_call #define sysretl_audit ia32_ret_from_sys_call
#endif #endif
#define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8) #define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
@ -39,12 +39,12 @@
.endm .endm
/* clobbers %eax */ /* clobbers %eax */
.macro CLEAR_RREGS _r9=rax .macro CLEAR_RREGS offset=0, _r9=rax
xorl %eax,%eax xorl %eax,%eax
movq %rax,R11(%rsp) movq %rax,\offset+R11(%rsp)
movq %rax,R10(%rsp) movq %rax,\offset+R10(%rsp)
movq %\_r9,R9(%rsp) movq %\_r9,\offset+R9(%rsp)
movq %rax,R8(%rsp) movq %rax,\offset+R8(%rsp)
.endm .endm
/* /*
@ -172,6 +172,10 @@ sysexit_from_sys_call:
movl RIP-R11(%rsp),%edx /* User %eip */ movl RIP-R11(%rsp),%edx /* User %eip */
CFI_REGISTER rip,rdx CFI_REGISTER rip,rdx
RESTORE_ARGS 1,24,1,1,1,1 RESTORE_ARGS 1,24,1,1,1,1
xorq %r8,%r8
xorq %r9,%r9
xorq %r10,%r10
xorq %r11,%r11
popfq popfq
CFI_ADJUST_CFA_OFFSET -8 CFI_ADJUST_CFA_OFFSET -8
/*CFI_RESTORE rflags*/ /*CFI_RESTORE rflags*/
@ -202,7 +206,7 @@ sysexit_from_sys_call:
.macro auditsys_exit exit,ebpsave=RBP .macro auditsys_exit exit,ebpsave=RBP
testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10) testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
jnz int_ret_from_sys_call jnz ia32_ret_from_sys_call
TRACE_IRQS_ON TRACE_IRQS_ON
sti sti
movl %eax,%esi /* second arg, syscall return value */ movl %eax,%esi /* second arg, syscall return value */
@ -218,8 +222,9 @@ sysexit_from_sys_call:
cli cli
TRACE_IRQS_OFF TRACE_IRQS_OFF
testl %edi,TI_flags(%r10) testl %edi,TI_flags(%r10)
jnz int_with_check jz \exit
jmp \exit CLEAR_RREGS -ARGOFFSET
jmp int_with_check
.endm .endm
sysenter_auditsys: sysenter_auditsys:
@ -329,6 +334,9 @@ sysretl_from_sys_call:
CFI_REGISTER rip,rcx CFI_REGISTER rip,rcx
movl EFLAGS-ARGOFFSET(%rsp),%r11d movl EFLAGS-ARGOFFSET(%rsp),%r11d
/*CFI_REGISTER rflags,r11*/ /*CFI_REGISTER rflags,r11*/
xorq %r10,%r10
xorq %r9,%r9
xorq %r8,%r8
TRACE_IRQS_ON TRACE_IRQS_ON
movl RSP-ARGOFFSET(%rsp),%esp movl RSP-ARGOFFSET(%rsp),%esp
CFI_RESTORE rsp CFI_RESTORE rsp
@ -353,7 +361,7 @@ cstar_tracesys:
#endif #endif
xchgl %r9d,%ebp xchgl %r9d,%ebp
SAVE_REST SAVE_REST
CLEAR_RREGS r9 CLEAR_RREGS 0, r9
movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */ movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
movq %rsp,%rdi /* &pt_regs -> arg1 */ movq %rsp,%rdi /* &pt_regs -> arg1 */
call syscall_trace_enter call syscall_trace_enter
@ -425,6 +433,8 @@ ia32_do_call:
call *ia32_sys_call_table(,%rax,8) # xxx: rip relative call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
ia32_sysret: ia32_sysret:
movq %rax,RAX-ARGOFFSET(%rsp) movq %rax,RAX-ARGOFFSET(%rsp)
ia32_ret_from_sys_call:
CLEAR_RREGS -ARGOFFSET
jmp int_ret_from_sys_call jmp int_ret_from_sys_call
ia32_tracesys: ia32_tracesys:
@ -442,8 +452,8 @@ END(ia32_syscall)
ia32_badsys: ia32_badsys:
movq $0,ORIG_RAX-ARGOFFSET(%rsp) movq $0,ORIG_RAX-ARGOFFSET(%rsp)
movq $-ENOSYS,RAX-ARGOFFSET(%rsp) movq $-ENOSYS,%rax
jmp int_ret_from_sys_call jmp ia32_sysret
quiet_ni_syscall: quiet_ni_syscall:
movq $-ENOSYS,%rax movq $-ENOSYS,%rax